Closed Frando closed 4 years ago
Some more investigations into the transport encryption after the handshake is complete:
The NOISE spec states with regard to transport messages:
A Noise transport message is simply an AEAD ciphertext that is less than or equal to 65535 bytes in length, and that consists of an encrypted payload plus 16 bytes of authentication data. The details depend on the AEAD cipher function, e.g. AES256-GCM, or ChaCha20-Poly1305, but typically the authentication data is either a 16-byte authentication tag appended to the ciphertext, or a 16-byte synthetic IV prepended to the ciphertext. (source)
and also
Applications must handle any framing or additional length fields for Noise messages (source)
(which in my tests was very true - the read_message
method of the transport state in snow can only decrypt messages that are exactly the same messages as created by the write_message
call on the other side, thus needing length-prefixes during transport)
hypercore-protocol in transport uses a streaming XSalsa20 cipher from libsodium, where the docs state:
The ciphertext is the message combined with the output of the stream cipher using the XOR operation, and doesn't include any authentication tag. (source)
So hypercore-protocol follows NOISE for the handshake, but does not use NOISE for the transport encryption, instead it uses XSalsa20 for streaming encryption with no authentication tags and no need for length-delimited messages for the decryption. This means that by-the-spec NOISE frameworks cannot be used for the transport phase of a hypercore-protocol stream.
@mafintosh / @emilbayes: Could you check if these findings about hypercore-protocol are correct, and clarify if there's a reason why hypercore-protocol does not stick to the NOISE spec for the transport phase?
I pushed a client/server example of how far I got with the handshaking, see here for details.
There are some things I did in noise-protocol that are "non-standard" but that I want to fix:
The above points I am going to remedy soon, but these are also the only parts that are noise here. The rest is how hypercore has decided to use noise under various constraints.
I know that hypercore uses "dummy keys" and I think it uses "channel binding" as part of the new capabilities system. The application responsibilities also makes it more tricky to get different implementations to talk to each other: http://www.noiseprotocol.org/noise.html#application-responsibilities
Maybe it's worth it to consider using a pregenerated noise implementation from https://noiseexplorer.com and modify that to how hypercore uses noise?
@emilbayes cool, thanks for this info.
With your standard-dh
branch I got one step forward: Now the handshake between node and rust semi-completes - the initiator finishes correctly, the not-inititiator dies with a decrypt error.
I set up a repo to better test this: https://github.com/Frando/rust-node-noise-handshake
Feel free to chime in there or help to debug :-D could also be a good base for proper integration tests, it has a one-command runner that starts both server and client.
Now some more progress here, yeeha:
https://github.com/Frando/hypercore-protocol-rs
With the standard-dh
branch of noise-protocol in Node.js, and two patches to snow ((1), (2)), I now have a mostly working (yet very basic) implementation of hypercore-protocol 7 (Hypercore 8 / Dat 2) in Rust: Pass the handshake, set up the transport encryption, open channels, verify capabilities and send and receive messages. Next would be to integrate with hypercore!
Also if someone would want to review the API and implementation of the repo linked above, I'd be very interested :smile:
This is all fixed and can be closed :)
See hypercore-protocol-rs. My PRs to snow got merged, and the new Hypercore 9 release switched the handshake algorithm. It also switched the handshake cipher from XChaChaPoly
to ChaChaPoly
, so one of the PRs to snow wasn't even needed in the end.
Anyway - the master branch of hypercore-protocol-rs can handshake, verify cabalities and exchange all messages with a nodejs hypercore now. Once snow gets a new release, I'll publish a first preview release.
For a working Dat2 / hypercore 8 implementation in Rust, we'll have to implement the NOISE handshaking and transport encryption.
I'll document what I found out while looking into this.
I don't think there's any "official" documentation about the NOISE handshake and transport encryption in hypercore yet. Looking into the code reveals:
Noise_XX_25519_XChaChaPoly_BLAKE2
(see noise-protocol/handshake-state and simple-hypercore-protocol/handshake). The handshake uses a state machine module called simple-handshake, which then uses noise-protocol, a Javascript implementation of some parts of the NOISE spec that uses sodium-native for the actual crypto.payload
being transmitted from each side is a protocol buffers encoded message with a 24 byte nonce (random bytes), created in simple-hypercore-protocol/index.jssodium.crypto_stream_xor
(see simple-hypercore-protocol/lib/xor.js and the sodium docs), with instances for receiving and transmitting, where for each the keys are coming from thesplit
result of the NOISE handshake and the nonces are the payloads that were transmitted during the handshake.sodium.crypto_stream_xor
resolves tocrypto_stream_xsalsa20_xor
which, in sodium-native, uses crypto_stream_xsalsa20I tried to connect to a nodejs hypercore-protocol stream from Rust, however I hit a few roadblocks. I started with snow as it seems to be the most complete NOISE impl in rust. Following are, I think, what's missing to make connecting to a hypercore-protocol stream:
XChaChaPoly
cipher. I created an issue for that. There's a rust impl of XChaChaPoly in chacha20poly1305.split
results directly